OFFICE OF INSPECTOR GENERAL

Information Collection on USITC Internet Servers

Inspection Report
OIG-IR-02-01

February 16, 2001


I.      INTRODUCTION

The United States International Trade Commission (Commission) is an independent, quasi–judicial, nonpartisan Federal agency established by Congress with broad investigative powers on matters of trade. The mission of the Commission is twofold: administer U.S. trade remedy laws in a fair and objective manner; and provide the President, U.S. Trade Representative, and the Congress with independent, quality advice and information on matters of international trade and competitiveness. Major Commission activities include: import injury investigations, intellectual property–based investigations, research, trade information services and trade policy support.

II.     OBJECTIVE

The objective of this inspection was to perform a comprehensive review of the Commission’s collection of data by its public Internet servers.

III.    SCOPE AND METHODOLOGY

This inspection was conducted between January 25, 2001 and February 5, 2001 at the Commission’s Office located at 500 E Street, S.W., Washington, DC. The Office of Inspector General (OIG) interviewed the Trade and Tariff Information Manager and employees in the Office of Information Services. Commission office directors were given an opportunity to comment on a draft of this Inspection Report. Those comments were appropriately incorporated.

The OIG reviewed Office of Management and Budget (OMB) guidance, General Accounting Office (GAO) reports and information available through the web sites of the Chief Information Officers Council and the General Services Administration. OIG reviewed all Commission public web sites and sample copies of logs produced by the Commission’s Internet servers. OIG also used analysis tools available on the Internet.

Based on the information obtained and reviewed, the OIG developed the following independent findings.

IV.     FINDINGS

The Commission delivers information and services via the Internet using numerous public and non-public web sites. The public web sites are sites on which the Commission provides information and services to the general public. On the Commission’s non-public web sites, access is limited to employees of the Commission or working groups of government employees. Several web servers with various hardware and software configurations service both the public and non-public web sites. This review focused on the Commission’s public web sites:

- Home Page: The http://www.usitc.gov site serves as a portal to the other public web sites of the Commission. This site also contains general information and news about the Commission, most agency publications and access to the Harmonized Tariff Schedule. The Commission also provides ftp services on this server at: ftp://ftp.usitc.gov/.
- EDIS On-Line: The http://dockets.usitc.gov site provides access to docketing information and access to public documents filed with the Secretary's Office in Commission investigations. The site can be used to view page images and request print copies of the public documents filed in Commission investigations instituted since 1996.
- Section 337 Cases: The http://info.usitc.gov/337 site contains Section 337 case history information.
- Sunset Reviews: The http://info.usitc.gov/oinv/sunset.nsf site contains general and scheduling information regarding the Commission’s Five Year Sunset Reviews.
- DataWeb: The http://dataweb.usitc.gov site offers various trade and tariff data.
- Library Catalog: The http://205.197.120.8/webopac/cgi/swebmnu.exe?act=3&ini=splusweb site contains a searchable copy of the Library Catalog.
- Directory: The http://radiator.ustic.gov site contains a searchable copy of the Commission’s phone book.

        Log Files

The Commission’s public web servers and firewall automatically create separate log information about visitors to Commission web servers.

The Commission uses a firewall to collect data regarding any access or attempted access to Commission Internet resources. Specifically, the firewall log records the visitor’s IP address information and data similar to that collected by the public web servers. The firewall log also records attempts by visitors to perform improper actions against agency resources.

Table 1 below charts specific information collected by the Commission’s public web servers.

TABLE 1: Information Collected

| Information Collected                      | http://www.usitc.gov | ftp://ftp.usitc.gov | http://dockets.usitc.gov | http://info.usitc.gov/ | http://dataweb.usitc.gov | Library Catalog | http://radiator.usitc.gov |
|--------------------------------------------|----------------------|---------------------|--------------------------|------------------------|--------------------------|-----------------|---------------------------|
| Date/Time Internet Server Accessed         | X                    | X                   | X                        | X                      | X                        | X               | X                         |
| IP Address of Visitor                      | X                    | X                   | X                        | X                      | X                        | X               | X                         |
| Username                                   |                      | X                   |                          |                        |                          |                 |                           |
| Server Name & IP Address                   | X                    | X                   |                          | X                      | X                        |                 | X                         |
| Hypertext Transfer Protocol Request Method | X                    | X                   | X                        | X                      | X                        | X               | X                         |
| File or Page Requested                     | X                    | X                   | X                        | X                      | X                        | X               | X                         |
| Status of Request                          | X                    | X                   |                          | X                      | X                        | X               | X                         |
| Size of File or Page                       | X                    | X                   |                          |                        | X                        |                 | X                         |
| Time to Complete                           | X                    | X                   |                          |                        | X                        | X               | X                         |
| Visitor’s Browser Type                     | X                    |                     |                          | X                      | X                        | X               | X                         |
| Visitor’s Operating System                 | X                    |                     |                          | X                      |                          |                 | X                         |
| Visitor’s referring Web page               | X                    |                     |                          | X                      | X                        |                 | X                         |

        Cookies

            A cookie is a short string of text that may be sent from a web server to a web browser
            when the browser accesses a web page. Generally there are two types of cookies:
            session cookies and persistent cookies. Session cookies are short-lived, are used only
            during the browsing session, and expire when the visitor quits the browser or sooner.
            Persistent cookies specify expiration dates, remain stored on the client’s computer
            until the expiration date, and can be used to track visitors’ browsing behavior by
            identifying their Internet addresses whenever they return to a site. GAO-01-147R,
            Federal Use of Cookies.

Our review of the Commission’s use of cookies revealed that the Commission does not use any persistent cookies but uses session cookies on several of its Internet sites (see Table 2). In general, session cookies are used by the Commission on several sites to collect basic information regarding site access. Also, session cookies are used on the http://dockets.usitc.gov site to keep track of the number and quantity of documents a visitor places in a shopping cart until checkout.

TABLE 2

| Cookies           | www.usitc.gov | dockets.usitc.gov | info.usitc.gov | dataweb.usitc.gov | Library Catalog | radiator.usitc.gov |
|-------------------|---------------|-------------------|----------------|-------------------|-----------------|--------------------|
| Session Cookies   | X             | X                 | X              | X                 | X               |                    |
| Persistent Cookie |               |                   |                |                   |                 |                    |

        Voluntary Submission of Personally Identifying Information

In certain transactions with the public, the Commission collects personally identifiable information where the visitor voluntarily provides the information. For instance, in an email to the Commission, the individual may provide personally identifying information. We found no areas where the Commission collects personally identifying information involuntarily or through the use of third parties or contractors.

On two servers, http://dataweb.usitc.gov and http://dockets.usitc.gov, the Commission provides web forms which permit visitors to voluntarily submit personally identifying information.

With regard to http://dataweb.usitc.gov, we found that visitors are required to register prior to being granted access to some areas on the site. Data collected during registration includes name, email, phone, agency or firm type, and agency name. Pursuant to the Paperwork Reduction Act, the Office of Management and Budget has approved the collection of this information (OMB No: 3117-0190, Exp Date 1/31/2003). The Commission currently tracks every login, query and list made to evaluate the impact of visitor activity on system resources. This tracking is performed to improve service as well as for the purpose of evaluating more expansive offerings in this area. This information is archived by Commission computers and some data, not including personally identifying information, have been made available under FOIA.

With regard to http://dockets.usitc.gov, visitors who request copies of documents are requested to provide their name, phone number, address, delivery method and method of payment. This information is then provided to a contractor who processes the order. This information is destroyed after an order is processed.

        Privacy Statement

We reviewed the adequacy of the Commission’s Privacy Statement located at http://www.usitc.gov/privacy.htm. In general, the statement is adequate but should be more specific, so as to give the public more guidance as to what is automatically being recorded by the Commission’s Internet server log files (see Table 1), what information is being collected via web forms and emails, and the disposition of that information.

In accordance with OMB Guidance (M-99-18), links to the Privacy Statement should exist at major entry points to agency web sites. Currently, sites such as http://info.usitc.gov/337 and http://radiator.ustic.gov have no link to the Privacy Statement.

Additionally, the Privacy Statement provides no notice of the use of session cookies.

We requested that the Commission address these issues in its Privacy Statement and the Commission has agreed to do so.

V.      CONCLUSIONS

Based on our findings, we conclude that currently the Commission is collecting personally identifying information via its Internet servers only to the extent necessary to perform adequate analysis of site performance, maintain security and transact business with the general public. We made a recommendation as to the content of the Commission’s Privacy Statement and that recommendation was accepted.